suricata
detect-ttl.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gurvinder Singh <gurvindersighdahiya@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements the ttl keyword including prefilter support.
25  */
26 
27 #include "suricata-common.h"
28 #include "stream-tcp.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
33 #include "detect-engine-uint.h"
34 
35 #include "detect-ttl.h"
36 #include "util-debug.h"
37 #include "util-byte.h"
38 
39 /* prototypes */
40 static int DetectTtlMatch (DetectEngineThreadCtx *, Packet *,
41  const Signature *, const SigMatchCtx *);
42 static int DetectTtlSetup (DetectEngineCtx *, Signature *, const char *);
43 void DetectTtlFree (DetectEngineCtx *, void *);
44 #ifdef UNITTESTS
45 void DetectTtlRegisterTests (void);
46 #endif
47 static int PrefilterSetupTtl(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
48 static bool PrefilterTtlIsPrefilterable(const Signature *s);
49 
50 /**
51  * \brief Registration function for ttl: keyword
52  */
53 
55 {
57  sigmatch_table[DETECT_TTL].desc = "check for a specific IP time-to-live value";
58  sigmatch_table[DETECT_TTL].url = "/rules/header-keywords.html#ttl";
59  sigmatch_table[DETECT_TTL].Match = DetectTtlMatch;
60  sigmatch_table[DETECT_TTL].Setup = DetectTtlSetup;
62 #ifdef UNITTESTS
64 #endif
65  sigmatch_table[DETECT_TTL].SupportsPrefilter = PrefilterTtlIsPrefilterable;
66  sigmatch_table[DETECT_TTL].SetupPrefilter = PrefilterSetupTtl;
67 
68  return;
69 }
70 
71 /**
72  * \brief This function is used to match TTL rule option on a packet with
73  * those passed via ttl
74  *
75  * \param t pointer to thread vars
76  * \param det_ctx pointer to the pattern matcher thread
77  * \param p pointer to the current packet
78  * \param m pointer to the sigmatch that we will cast into DetectU8Data
79  *
80  * \retval 0 no match
81  * \retval 1 match
82  */
83 static int DetectTtlMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
84  const Signature *s, const SigMatchCtx *ctx)
85 {
86  if (PKT_IS_PSEUDOPKT(p))
87  return 0;
88 
89  uint8_t pttl;
90  if (PKT_IS_IPV4(p)) {
91  pttl = IPV4_GET_IPTTL(p);
92  } else if (PKT_IS_IPV6(p)) {
93  pttl = IPV6_GET_HLIM(p);
94  } else {
95  SCLogDebug("Packet is not IPv4 or IPv6");
96  return 0;
97  }
98 
99  const DetectU8Data *ttld = (const DetectU8Data *)ctx;
100  return DetectU8Match(pttl, ttld);
101 }
102 
103 /**
104  * \brief this function is used to attld the parsed ttl data into the current signature
105  *
106  * \param de_ctx pointer to the Detection Engine Context
107  * \param s pointer to the Current Signature
108  * \param ttlstr pointer to the user provided ttl options
109  *
110  * \retval 0 on Success
111  * \retval -1 on Failure
112  */
113 static int DetectTtlSetup (DetectEngineCtx *de_ctx, Signature *s, const char *ttlstr)
114 {
115  DetectU8Data *ttld = DetectU8Parse(ttlstr);
116  if (ttld == NULL)
117  return -1;
118 
119  SigMatch *sm = SigMatchAlloc();
120  if (sm == NULL) {
121  DetectTtlFree(de_ctx, ttld);
122  return -1;
123  }
124 
125  sm->type = DETECT_TTL;
126  sm->ctx = (SigMatchCtx *)ttld;
127 
130  return 0;
131 }
132 
133 /**
134  * \brief this function will free memory associated with DetectU8Data
135  *
136  * \param ptr pointer to DetectU8Data
137  */
139 {
140  rs_detect_u8_free(ptr);
141 }
142 
143 /* prefilter code */
144 
145 static void
146 PrefilterPacketTtlMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
147 {
148  if (PKT_IS_PSEUDOPKT(p)) {
149  SCReturn;
150  }
151 
152  uint8_t pttl;
153  if (PKT_IS_IPV4(p)) {
154  pttl = IPV4_GET_IPTTL(p);
155  } else if (PKT_IS_IPV6(p)) {
156  pttl = IPV6_GET_HLIM(p);
157  } else {
158  SCLogDebug("Packet is not IPv4 or IPv6");
159  return;
160  }
161 
162  const PrefilterPacketHeaderCtx *ctx = pectx;
163  if (!PrefilterPacketHeaderExtraMatch(ctx, p))
164  return;
165 
166  DetectU8Data du8;
167  du8.mode = ctx->v1.u8[0];
168  du8.arg1 = ctx->v1.u8[1];
169  du8.arg2 = ctx->v1.u8[2];
170  if (DetectU8Match(pttl, &du8)) {
171  SCLogDebug("packet matches ttl/hl %u", pttl);
172  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
173  }
174 }
175 
176 static int PrefilterSetupTtl(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
177 {
179  PrefilterPacketU8Compare, PrefilterPacketTtlMatch);
180 }
181 
182 static bool PrefilterTtlIsPrefilterable(const Signature *s)
183 {
184  const SigMatch *sm;
185  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
186  switch (sm->type) {
187  case DETECT_TTL:
188  return true;
189  }
190  }
191  return false;
192 }
193 
194 #ifdef UNITTESTS
195 #include "tests/detect-ttl.c"
196 #endif
util-byte.h
detect-engine-uint.h
SigTableElmt_::url
const char * url
Definition: detect.h:1287
DETECT_TTL
@ DETECT_TTL
Definition: detect-engine-register.h:45
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:437
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:566
SigTableElmt_::desc
const char * desc
Definition: detect.h:1286
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1274
SigTableElmt_::name
const char * name
Definition: detect.h:1284
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1053
PKT_IS_IPV6
#define PKT_IS_IPV6(p)
Definition: decode.h:246
stream-tcp.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1438
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1181
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:826
PrefilterPacketHeaderCtx_::sigs_array
SigIntId * sigs_array
Definition: detect-engine-prefilter-common.h:43
PrefilterPacketHeaderValue::u8
uint8_t u8[16]
Definition: detect-engine-prefilter-common.h:24
PrefilterPacketHeaderCtx_::sigs_cnt
uint32_t sigs_cnt
Definition: detect-engine-prefilter-common.h:42
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1269
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1272
DetectU8Parse
DetectUintData_u8 * DetectU8Parse(const char *u8str)
This function is used to parse u8 options passed via some u8 keyword.
Definition: detect-engine-uint.c:85
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1074
detect.h
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:344
DetectU8Data
DetectUintData_u8 DetectU8Data
Definition: detect-engine-uint.h:43
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:108
PrefilterPacketU8Set
void PrefilterPacketU8Set(PrefilterPacketHeaderValue *v, void *smctx)
Definition: detect-engine-uint.c:90
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:343
SCReturn
#define SCReturn
Definition: util-debug.h:273
Signature_::flags
uint32_t flags
Definition: detect.h:582
Packet_
Definition: decode.h:430
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:653
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1252
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:322
detect-ttl.c
detect-ttl.h
PrefilterPacketHeaderCtx_::v1
PrefilterPacketHeaderValue v1
Definition: detect-engine-prefilter-common.h:36
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:335
DetectTtlRegisterTests
void DetectTtlRegisterTests(void)
this function registers unit tests for DetectTtl
Definition: detect-ttl.c:212
DetectU8Match
int DetectU8Match(const uint8_t parg, const DetectUintData_u8 *du8)
Definition: detect-engine-uint.c:71
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:341
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:129
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:417
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1271
DetectTtlFree
void DetectTtlFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectU8Data
Definition: detect-ttl.c:138
detect-parse.h
Signature_
Signature container.
Definition: detect.h:581
SigMatch_
a single match condition for a signature
Definition: detect.h:340
IPV6_GET_HLIM
#define IPV6_GET_HLIM(p)
Definition: decode-ipv6.h:90
PrefilterPacketU8Compare
bool PrefilterPacketU8Compare(PrefilterPacketHeaderValue v, void *smctx)
Definition: detect-engine-uint.c:98
detect-engine-prefilter-common.h
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:245
DetectTtlRegister
void DetectTtlRegister(void)
Registration function for ttl: keyword.
Definition: detect-ttl.c:54
IPV4_GET_IPTTL
#define IPV4_GET_IPTTL(p)
Definition: decode-ipv4.h:146
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1276
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:242